In each of the SophosLabs locations, we regularly have visits from customers, prospects, reporters and even television crews where we are asked either to demonstrate a latest piece of malware, or to provide an understanding about how we go about protecting customers against spam, malware and web threats.
Visitors do appear to have preconceived ideas on what we do: poring over our monitors, reverse engineering every single piece of malware and spam, etc. The reality is slightly different – with thousands of pieces of malware, thousands of compromised websites and millions of spam messages discovered every day, the vast majority of our work is automated, and the role of the analyst is to focus on providing proactive generic detection to stop the threats we haven’t yet even seen.
So the atmosphere in the lab is calm and focused, but to visitors there might not seem like there is that much to see.
Yes, when we demonstrating our malware analysis tools, there is a little more to show. The same goes for the web threat analysis because we can illustrate the staggering volume and variety of attacks. that we encounter every day.
Demonstrating spam operations has always been a challenge though. Most of the analysis is done automatically, and the analyst reviews only a small selection of the most recent messages to make decisions on borderline cases before returning to focus on enhancing the automation. Not very exciting to watch.
A couple of weeks ago, we received a request about a TV crew wishing to visit and film a documentary about spam. The problem was how to make spam “˜visual’ enough for television. Enter Google Earth. That weekend, I read up on the file format used by Google Earth to mark locations (KML) and requested that one of our systems developers make a simple modification to our existing reporting tools to output the data in the right format. Presto! We had the prevalence of spam plotted, a constantly updated view of the most recent spam messages being sent around the world.
As an added visual bonus, I also put together a detailed anatomy of an integrated spam, malware and web attack following the sequence of events from the source of the spam to the location of each of the websites in the infection chain.
The demonstrations have gone ahead and were well received: they really showed in a visual manner the sheer size and global nature of the spam problem. My problem now, is that there has now been a constant stream of “Could we do …. ?”, “It would be great if you could show …?” or “How can we…?”. The answer to nearly all these questions is usually “Yes”, but unfortunately, as powerful and as exciting visually as Google Earth is, it doesn’t actually help us in the fight against spam, malware and web threats. Am I really devoted enough to give away my weekend to making demos with Google Earth? My kids certainly would complain!
Working is SophosLabs is fascinating and interesting work, and there is a level of excitement when you beat the bad guys, but the truth is that it is often more like a game of chess than the purported crime lab in that TV show “CSI”. The use of spinning globes, or hi-resolution graphical representations of malware don’t really help us save the world of hackers, malware and spam. The tools and systems we have developed that we think are cool, do amazingly complicated stuff to offer the best protection to our customers, but they are not very good at keeping visitors to the labs entertained.
One final point, because of Google Earth’s addictive properties, it’s included in the applications that can be controlled by Sophos Endpoint Security and Control.